Configuring the global IPsec SA lifetime and idle timeout

About global IPsec SA lifetime and idle timeout

If the IPsec SA lifetime and idle timeout are not configured in an IPsec policy, IPsec policy template, or IPsec profile, the global settings are used.

When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer, whichever are smaller.

An IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires.

Procedure

  1. Enter system view.

    system-view

  2. Set the global IPsec SA lifetime or idle timeout.

    • Set the global IPsec SA lifetime.

      ipsec sa global-duration { time-based seconds | traffic-based kilobytes }

      By default, the time-based SA lifetime is 3600 seconds, and the traffic-based SA lifetime is 1843200 kilobytes.

    • Set the global SA idle timeout.

      ipsec sa idle-time seconds

      By default, the global IPsec SA idle timeout feature is disabled.
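
The following is an added example, not part of the original documentation or the vendor's code. It models the two rules above: the smaller of the local and peer lifetime settings is used, and the SA expires when either lifetime expires. It assumes the "smaller" rule applies to each lifetime type separately; the function names, peer proposal, and traffic profile are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SaLifetime:
    time_s: int      # time-based lifetime, in seconds
    traffic_kb: int  # traffic-based lifetime, in kilobytes

# Global defaults stated on this page.
DEFAULT = SaLifetime(time_s=3600, traffic_kb=1843200)

def negotiate(local, peer):
    """Smaller setting wins (assumed to apply to each lifetime type separately)."""
    return SaLifetime(min(local.time_s, peer.time_s),
                      min(local.traffic_kb, peer.traffic_kb))

def crossover_rate(sa):
    """Sustained rate (kilobytes/s) above which the traffic-based lifetime expires first."""
    return sa.traffic_kb / sa.time_s

def first_expiry(sa, profile):
    """Return (seconds_until_expiry, reason) for a traffic profile.

    profile is a list of (duration_s, rate_kb_per_s) segments. Traffic after the
    last segment is assumed to be zero, so only the time-based lifetime remains.
    """
    elapsed, sent = 0.0, 0.0
    for duration, rate in profile:
        # Never look past the time-based limit inside a segment.
        duration = min(duration, sa.time_s - elapsed)
        if rate > 0 and sent + rate * duration >= sa.traffic_kb:
            # Traffic limit is reached partway through this segment.
            return elapsed + (sa.traffic_kb - sent) / rate, "traffic-based"
        elapsed += duration
        sent += rate * duration
        if elapsed >= sa.time_s:
            break
    return float(sa.time_s), "time-based"

if __name__ == "__main__":
    peer = SaLifetime(time_s=7200, traffic_kb=921600)  # constructed peer proposal
    sa = negotiate(DEFAULT, peer)
    profile = [(600, 100), (3000, 1024)]               # constructed traffic profile
    print(sa, crossover_rate(sa), first_expiry(sa, profile))
```

With the default values, a sustained rate above 512 kilobytes per second makes the traffic-based lifetime the one that ends the SA before the 3600 seconds elapse.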